
The server does not validate user registration information #22

Closed
CB2Git opened this Issue Nov 30, 2017 · 4 comments

2 participants
@CB2Git

CB2Git commented Nov 30, 2017

As the title says: registering with "invalid" user information, for example test~-1234567890, succeeds when the registration API is called directly.

@CB2Git


CB2Git commented Nov 30, 2017

When fetching the user's favorites list, you can get the data without passing JSESSIONID at all, just loginUserName and loginUserPassword (is it really a good idea to keep the password stored locally?). It could be done the same way as the unfavorite API, using JSESSIONID to check the login state >.< PS: hongyang, I've read so many of your blog posts!!!!
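The two reports above describe the same missing server-side control from two angles: the registration endpoint stores whatever username it is given, and the favorites endpoint accepts loginUserName/loginUserPassword as proof of identity instead of a session. The following is an added example, not code from this project or its author, of how a server would validate registration input and let only a JSESSIONID cookie establish login state. The username policy (6 to 20 characters, letters, digits and underscore), the minimum password length, the `Server` class and the `demo()` walkthrough are all constructed assumptions, since the issue does not state the real server's rules.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed registration policy (hypothetical; the issue does not state the
# server's real rules): 6-20 characters, letters, digits and underscore only,
# plus a minimum password length. "test~-1234567890" from the report fails it.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{6,20}")
MIN_PASSWORD_LEN = 8
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Server:
    """Minimal in-memory stand-in for the registration, login and favorites endpoints."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self.sessions: Dict[str, str] = {}               # JSESSIONID -> username
        self.favorites: Dict[str, List[int]] = {}        # username -> article ids

    def register(self, username: str, password: str) -> Tuple[bool, str]:
        """The server-side validation the issue reports as missing: reject before storing."""
        if not USERNAME_RE.fullmatch(username):
            return False, "invalid username"
        if len(password) < MIN_PASSWORD_LEN:
            return False, "password too short"
        if username in self.users:
            return False, "username already taken"
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))
        self.favorites[username] = []
        return True, "ok"

    def login(self, username: str, password: str) -> Optional[str]:
        """Credentials are checked once; a random session id is issued in return."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id

    def favorites_list(
        self, params: Dict[str, str], cookies: Dict[str, str]
    ) -> Tuple[int, Optional[List[int]]]:
        """Favorites endpoint: only the JSESSIONID cookie proves login state.

        loginUserName / loginUserPassword in the request parameters are ignored,
        so the client has no reason to keep the password on the device.
        """
        username = self.sessions.get(cookies.get("JSESSIONID", ""))
        if username is None:
            return 401, None
        return 200, list(self.favorites.get(username, []))


def demo() -> Dict[str, object]:
    """Walks through the behaviours the issue describes, on constructed inputs."""
    server = Server()
    rejected = server.register("test~-1234567890", "does-not-matter-1")  # value from the report
    accepted = server.register("test_user_01", "correct-horse-battery")   # constructed account
    sid = server.login("test_user_01", "correct-horse-battery")
    server.favorites["test_user_01"].append(7)                            # constructed favorite
    # A request carrying only the credentials as parameters, as in the report: denied.
    creds_only = server.favorites_list(
        {"loginUserName": "test_user_01", "loginUserPassword": "correct-horse-battery"}, {}
    )
    with_session = server.favorites_list({}, {"JSESSIONID": sid or ""})
    forged = server.favorites_list({}, {"JSESSIONID": "not-a-real-session"})
    return {
        "rejected": rejected,
        "accepted": accepted,
        "creds_only": creds_only,
        "with_session": with_session,
        "forged": forged,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `favorites_list` taking the parameters and the cookies separately is that the parameters never influence authorization: a request that omits the session cookie is refused no matter what credentials it carries, which is the behaviour the second comment asks for and is also what the owner's later move to a token mechanism achieves.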

@CB2Git


CB2Git commented Nov 30, 2017

On the second page of the personal favorites list there is no unfavorite option; instead a favorite icon is shown, and tapping it does nothing.
Test user: test_-863751944 Password: test_-863751944

@hongyangAndroid


Owner

hongyangAndroid commented Nov 30, 2017

Thanks a lot for the feedback~

  1. The favorites bug has been fixed;
  2. As for masking the account credentials: the earlier thinking was that opening any link should guarantee automatic login, so they were stored in the cookie; masking will be considered later.

hongyangAndroid pushed a commit that referenced this issue Nov 30, 2017

@hongyangAndroid hongyangAndroid added the bug label Dec 1, 2017

@hongyangAndroid


Owner

hongyangAndroid commented Oct 24, 2018

Account auto-login has been changed to a token mechanism; it is no longer in plaintext.
